Bug 205744

Summary: Make text track loading set same-origin fallback flag
Product: WebKit Reporter: Rob Buis <rbuis>
Component: New BugsAssignee: Rob Buis <rbuis>
Status: RESOLVED INVALID    
Severity: Normal CC: annevk, cdumez, commit-queue, darin, dbates, eric.carlson, ews-watchlist, glenn, japhet, jer.noble, mkwst, philipj, sergio, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 216672    
Bug Blocks:    
Attachments:
Description Flags
Patch none

Rob Buis
Reported 2020-01-03 12:16:43 PST
Make text track loading set same-origin fallback flag: https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request
Attachments
Patch (18.35 KB, patch)
2020-01-03 12:25 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Rob Buis
Comment 1 2020-01-03 12:25:43 PST
Created attachment 386706 [details] Patch
Rob Buis
Comment 2 2020-01-03 13:54:37 PST
Comment on attachment 386706 [details] Patch This is the second and final part of the split mentioned in https://bugs.webkit.org/show_bug.cgi?id=205326.
WebKit Commit Bot
Comment 3 2020-01-03 23:57:30 PST
Comment on attachment 386706 [details] Patch Clearing flags on attachment: 386706 Committed r254031: <https://trac.webkit.org/changeset/254031>
WebKit Commit Bot
Comment 4 2020-01-03 23:57:32 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 5 2020-01-03 23:58:19 PST
<rdar://problem/58314610>
Jer Noble
Comment 6 2020-09-17 16:26:34 PDT
Reopening as this patch caused a regression where videos on jw.org fail to show subtitles.
Jer Noble
Comment 7 2020-09-17 16:33:19 PDT
jw.org has captions hosted on Akamai where the .vtt file has CORS headers but the .mp4 file does not. So captions work if `crossorigin=anonymous` is added, but that breaks video rendering. Other browsers play captions fine without the `crossorigin` attribute, and there does not seem to be WPT tests that verify behavior for this scenario (!same origin, no-cors, headers present). Since this caused behavior regressions in the wild, and other browsers have not implemented this same behavior, we're reverting this on trunk for now.
Rob Buis
Comment 8 2020-12-22 01:32:05 PST
@Anne I implemented [1] but it seems to cause regressions in the wild, see comment 7. Do you know whether mozilla implemented this? Should the spec be changed? [1] https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request
Anne van Kesteren
Comment 9 2021-01-06 03:13:51 PST
I guess other browsers do not use "same-origin" as the fallback and rather use "cors" always? And let credentials mode depend on the media element? It seems this is the only case where we pass the same-origin fallback flag and it might not be well tested. I do hope they all enforce CORS as there would be a security problem otherwise. `html/semantics/embedded-content/media-elements/track/track-element/track-data-url.html` does not really seem to test this as data URLs are considered same-origin. That does seem like a useful template to be able to add some cross-origin tests, though testing the credentials part might require some server-side logic as well. I filed https://github.com/whatwg/html/issues/6267 to track this standards-wise.
youenn fablet
Comment 10 2022-04-22 03:23:34 PDT
I validated Chrome is using same origin as default. Some time has passed and identified breaking websites have been updated. Let's try to reland this behavior in https://bugs.webkit.org/show_bug.cgi?id=239381.
Note You need to log in before you can comment on or make changes to this bug.